cscli scenarios install sigmahq/proc_creation_win_susp_powershell_execution_via_dll
type: trigger
name: sigmahq/proc_creation_win_susp_powershell_execution_via_dll
description: |
  Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\InstallUtil.exe' || evt.Parsed.Image endsWith '\\RegAsm.exe' || evt.Parsed.Image endsWith '\\RegSvcs.exe' || evt.Parsed.Image endsWith '\\regsvr32.exe' || evt.Parsed.Image endsWith '\\rundll32.exe' || evt.Parsed.OriginalFileName in ['InstallUtil.exe', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.EXE', 'RUNDLL32.EXE']) && (evt.Parsed.CommandLine contains 'Default.GetString' || evt.Parsed.CommandLine contains 'DownloadString' || evt.Parsed.CommandLine contains 'FromBase64String' || evt.Parsed.CommandLine contains 'ICM ' || evt.Parsed.CommandLine contains 'IEX ' || evt.Parsed.CommandLine contains 'Invoke-Command' || evt.Parsed.CommandLine contains 'Invoke-Expression'))
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1218.011

  label: "Potential PowerShell Execution Via DLL"
  behavior: "windows:audit"
  remediation: false

scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
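To see which events the filter above would actually match, here is an added Python re-implementation of it (not CrowdSec's or the sigmahq repository's own code) run over a few constructed Sysmon EventID 1 events. The dict keys mirror the evt.Parsed.* fields, the sample events are assumptions, and the case-sensitive endsWith/contains/in semantics of the expr filter are kept on purpose.

```python
# Added example: the scenario filter as a Python predicate over constructed events.
# Matching is case-sensitive and EventID is the string '1', as in the expr filter.

IMAGE_SUFFIXES = ("\\InstallUtil.exe", "\\RegAsm.exe", "\\RegSvcs.exe",
                  "\\regsvr32.exe", "\\rundll32.exe")
ORIGINAL_NAMES = {"InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe",
                  "REGSVR32.EXE", "RUNDLL32.EXE"}
CMDLINE_MARKERS = ("Default.GetString", "DownloadString", "FromBase64String",
                   "ICM ", "IEX ", "Invoke-Command", "Invoke-Expression")


def matches_scenario(evt: dict) -> bool:
    """True when the event satisfies the scenario's filter expression."""
    if evt.get("service") != "sysmon" or evt.get("EventID") != "1":
        return False
    # Host binary check: Image suffix (case-sensitive) OR OriginalFileName in list.
    host_binary = (evt.get("Image", "").endswith(IMAGE_SUFFIXES)
                   or evt.get("OriginalFileName") in ORIGINAL_NAMES)
    cmdline = evt.get("CommandLine", "")
    return host_binary and any(m in cmdline for m in CMDLINE_MARKERS)


# Constructed sample events (not real telemetry); paths and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"service": "sysmon", "EventID": "1",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe C:\\Temp\\host.dll,main IEX $payload"},
    # Benign rundll32 use: host binary matches but no command-line marker.
    {"service": "sysmon", "EventID": "1",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # Marker present, but the host is the normal PowerShell process: no match.
    {"service": "sysmon", "EventID": "1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Invoke-Expression $x"},
    # Upper-case Image path: endsWith misses it, OriginalFileName still catches it.
    {"service": "sysmon", "EventID": "1",
     "Image": "C:\\WINDOWS\\SYSTEM32\\REGSVR32.EXE",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "REGSVR32.EXE /s C:\\Temp\\x.dll FromBase64String"},
]


def alerting_indexes(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that would trigger the scenario."""
    return [i for i, e in enumerate(events) if matches_scenario(e)]
```

The fourth sample shows why the OriginalFileName branch matters: Sysmon reports the PE header name, so an oddly cased image path still triggers.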